CVE-2026-43567 Overview
CVE-2026-43567 is a path traversal vulnerability in OpenClaw versions before 2026.4.10. The flaw resides in the screen_record tool's outPath parameter, which fails to enforce workspace-only filesystem boundaries. Attackers with low-level privileges can supply an outPath value pointing outside the workspace directory to write files to arbitrary filesystem locations. The issue maps to CWE-862: Missing Authorization and affects the Node.js distribution of OpenClaw. Exploitation can lead to integrity loss across the host, including overwriting configuration files, scripts, or binaries reachable by the OpenClaw process.
Critical Impact
Authenticated attackers can write attacker-controlled files outside the OpenClaw workspace, enabling tampering with system files and potential follow-on code execution through overwritten executables or startup scripts.
Affected Products
- OpenClaw (Node.js distribution) — all versions before 2026.4.10
- openclaw-tools agent module (src/agents/openclaw-tools.ts)
- pi-tools.read workspace guard module (src/agents/pi-tools.read.ts)
Discovery Timeline
- 2026-05-05 - CVE-2026-43567 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43567
Vulnerability Analysis
OpenClaw exposes an agent tool named screen_record that captures screen output and writes the resulting file to a path specified in the outPath parameter. The workspace guard wrapper, implemented in pi-tools.read.ts, was designed to validate user-supplied paths against the workspace root before any filesystem write occurs. However, the wrapper only validated a single hardcoded parameter key named path. Tools such as screen_record use a different parameter name (outPath) for their output destination, so the guard never inspected that value.
Because the guard skipped validation, the underlying tool resolved outPath directly against the host filesystem. Attackers can supply traversal sequences such as ../../etc/cron.d/payload or absolute paths to direct file writes anywhere the OpenClaw process can reach. The vulnerability requires authenticated access to the agent tool surface but no user interaction.
Root Cause
The root cause is missing authorization on a path parameter. The wrapToolWorkspaceRootGuardWithOptions helper iterated only over the parameter key path, leaving any tool that named its destination differently unprotected. The patched function accepts a configurable pathParamKeys list and validates each declared key with assertSandboxPath against the workspace root before execution.
Attack Vector
An attacker authenticated to OpenClaw invokes the screen_record tool and supplies an outPath value that escapes the workspace. The agent runtime forwards the value to the unguarded execute path, and the recording is written to the attacker-chosen location. No client-side interaction or social engineering is required.
// Patch from src/agents/pi-tools.read.ts — workspace guard now iterates configured path keys
root: string,
options?: {
containerWorkdir?: string;
+ pathParamKeys?: readonly string[];
+ normalizeGuardedPathParams?: boolean;
},
): AnyAgentTool {
+ const pathParamKeys =
+ options?.pathParamKeys && options.pathParamKeys.length > 0 ? options.pathParamKeys : ["path"];
return {
...tool,
execute: async (toolCallId, args, signal, onUpdate) => {
const record = getToolParamsRecord(args);
- const filePath = record?.path;
- if (typeof filePath === "string" && filePath.trim()) {
+ let normalizedRecord: Record<string, unknown> | undefined;
+ for (const key of pathParamKeys) {
+ const filePath = record?.[key];
+ if (typeof filePath !== "string" || !filePath.trim()) {
+ continue;
+ }
const sandboxPath = mapContainerPathToWorkspaceRoot({
filePath,
root,
containerWorkdir: options?.containerWorkdir,
});
- await assertSandboxPath({ filePath: sandboxPath, cwd: root, root });
+ const sandboxResult = await assertSandboxPath({ filePath: sandboxPath, cwd: root, root });
+ if (options?.normalizeGuardedPathParams && record) {
+ normalizedRecord ??= { ...record };
Source: GitHub commit 635bb35
Detection Methods for CVE-2026-43567
Indicators of Compromise
- File creation events from the OpenClaw process writing outside the configured workspace root, particularly to /etc/, /var/, user home directories, or scheduled task paths.
- Agent tool invocations of screen_record with outPath values containing .., absolute paths, or symlinks resolving outside the workspace.
- Unexpected .webm, .mp4, or other recording artifacts appearing in system or service directories.
Detection Strategies
- Audit OpenClaw agent logs for screen_record calls and parse the outPath argument for traversal sequences or absolute prefixes.
- Monitor filesystem telemetry for write operations originating from the OpenClaw Node.js process and correlate the target path against the declared workspace root.
- Apply behavioral rules that flag short-lived processes spawning from files written by the OpenClaw process outside its workspace.
Monitoring Recommendations
- Forward OpenClaw application logs and host process-file telemetry to a central analytics platform for retroactive hunting against the published indicators.
- Alert on modifications to high-value paths (cron directories, systemd unit files, shell profile scripts) by any non-administrative service account.
- Track invocation frequency and parameter values for all OpenClaw tools, not just screen_record, to surface abuse of other parameter keys.
How to Mitigate CVE-2026-43567
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which adds the pathParamKeys enforcement to the workspace guard.
- Restrict access to the OpenClaw agent interface to trusted operators and rotate any credentials shared during the exposure window.
- Review filesystem changes made by the OpenClaw service account since deployment and validate the integrity of files outside the workspace root.
Patch Information
The vendor fix is published in commit 635bb35b68d8faa5bfa2fda35feadd315122748a and detailed in GitHub Security Advisory GHSA-jf25-7968-h2h5. Additional analysis is available in the VulnCheck advisory. The patch extends wrapToolWorkspaceRootGuardWithOptions to validate every configured path parameter, including outPath, through assertSandboxPath.
Workarounds
- If immediate upgrade is not possible, disable the screen_record tool in the agent registration to remove the vulnerable parameter surface.
- Run the OpenClaw service under a dedicated low-privilege user with filesystem ACLs limited to the workspace directory.
- Apply mandatory access controls (AppArmor, SELinux) to confine the OpenClaw process write scope to the workspace path.
# Verify the installed OpenClaw version meets the patched release
npm ls openclaw
# Confirm the running process cannot write outside the workspace (Linux example)
sudo -u openclaw test -w /etc && echo "FAIL: writable" || echo "OK: not writable"
# Optional: restrict the service unit to the workspace directory
# /etc/systemd/system/openclaw.service.d/override.conf
# [Service]
# ReadWritePaths=/var/lib/openclaw/workspace
# ProtectSystem=strict
# NoNewPrivileges=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
